[132757] in cryptography@c2.net mail archive

Re: More US bank silliness

daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Sep 8 12:47:06 2008

From: Sam Hartman <hartmans@mit.edu>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Cc: cryptography@metzdowd.com
Date: Mon, 08 Sep 2008 11:06:19 -0400
In-Reply-To: <E1KcKKc-0000Fm-D1@wintermute01.cs.auckland.ac.nz> (Peter
	Gutmann's message of "Mon, 08 Sep 2008 01:29:34 +1200")

>>>>> "Peter" == Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

    Peter> On a semi-related topic, it'd be interesting to get some
    Peter> discussion about FF3 removing the FF2 SSL indicators of the
    Peter> padlock and (more visibly) the background colour-change for
    Peter> the URL bar when SSL is active and replacing it with a
    Peter> spoof-friendly indicator that's part of the favicon,
    Peter> i.e. part of the attacker-controlled content.  The URL bar
    Peter> colouring was by far the most visible security indicator
    Peter> that any web browser had, the giant leap backwards of
    Peter> moving to a near-invisible blue border around the favicon
    Peter> does nothing to indicate security and is trivially spoofed
    Peter> by putting a blue border around the favicon.  There's a
    Peter> bugzilla bug filed against it,
    Peter> https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with
    Peter> inevitable dups,


Peter, list, the W3C Web Security Context working group is in the
final week of a public last call on their user interface guidelines.
These guidelines take a look both at the balance between EV-certs and
at user interface for security indicators.

Comments need to be received by September 15. The draft is at
http://www.w3.org/TR/2008/WD-wsc-ui-20080724/ and my take is at
http://www.painless-security.com/blog/2008/08/w3sc-lc/ .

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com